United States Patent [i9] 

Pogue, Jr. et al. 



US005 144667 A 

[1 1] Patent Number: 
[45] Date of Patent: 



5,144,667 
Sep. 1, 1992 



[54] METHOD OF SECURE REMOTE ACXrESS 

[75] Inventors: Russell W. Pogue, Jr., Kokomo, Ind.; 

Ronald L. Rivest, Arlington, Mass. 

[73] Assignee: Delco Electronics CorporatioQ, 
Kokomo, Ind. 

[21] Appl. No.: 630,626 

[22] Filed: Dec. 20, 1990 

[51] Int. a.5 : H04L 9/02 

[52] VS. a 380/45; 380/25; 

380/21; 340/825.31 

[58] Field of Search 380/21, 23, 25. 30, 

380/43, 44, 45, 46, 48, 49, 50; 340/825.31 

[56] References Cited 

U.S. PATENT DOCUMENTS 

3,911,397 10/1975 Freeny, Jr 380/23 X 

4,731,840 3/1988 Mniszewski et al 380/21 

4,746,788 5/1988 Kawana 380/23 X 

4,799.061 1/1989 Abraham et al; 380/23 X 



4,864,615 
4,942,393 



9/1989 
7/1990 



Bennett et al 380/21 

Waraksa et al 340/825.31 X 



Primary Examiner — Tod Swann 
Attorney, Agent, or Firm — A. Frank Duke 

[57] ABSTRACT 

Access to a vehicle by a remote electronic key via a 
radio link is secured by an exchange of encrypted sig- 
nals. A remote unit having a secret number is intro- 
duced to a base unit and a common key is agreed upon 
by an exponential key exchange. The common key is 
encrypted using the secret number and stored in the 
base unit. Thereafter, the base unit is able to authenti- 
cate the identity of the remote unit by sending the en- 
crypted common key smd a random number to the re- 
mote unit which decrypts the key and uses it to encrypt 
the random number. The random number is also en- 
crypted in the base imit and compared with the en- 
crypted random nimiber from the remote unit. 
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remote unit, and storing the common key and an en- 

METHOD OF SECXJRE REMOTE ACCESS crypted form of the common key in the base unit; then 

authenticating the remote unit by encrypting a random 

FIELD OF THE INVENTION number with the common key in the base unit, passing 

Tliis invention relates to a method of remotely ac ^ the encrypted common key and a challenge number 

cessing a secure system using encrypted keys which is ^om the base umt to the remote umt wherem the chd- 

appUcable to automotive vehicle entry. lenge number comprises the random number or the 

encrypted random number, decrypting the common 

BACKGROUND OF THE INVENTION j^gy in the remote unit, operating on the challenge num- 

It is well known to use digitally encoded signals over ber with the conunon key in the remote unit, and com- 

a radio link to open garage doors or unlock vehicle paring the results. 

doors, for example from a remote transrmtter. Com- ^^^^ DESCRIPTION OF THE DRAWINGS 
monly, systems employmg such control methods have a 

remote unit which may be carried in ones pocket or on The above and other advantages of the invention will 

a key chain and have a button which is pressed to issue become more apparent from the following description 

a command signal. It is very desirable to make such taken in conjunction with the accompanying drawings 

systems secure from unauthorized use. This is especially wherein like references refer to like parts and wherein: 

important when the remote transmitter is used not only FIG. 1 is a schematic diagram of a remote access 

to unlock a vehicle door but also to unlock the vehicle system for an automotive vehicle, 

ignition switch. When the signals are transmitted by ^0 FIG. 2 is a diagram of base unit and remote unit 

radio, it is possible for a person using electronic eaves- modes for the system of FIG. 1, 

dropping to record the signals for later retransmission FIQ. 3 is a diagram of initialization operations ac- 

to operate the vehicle. More elaborate signalling proce- cording to the invention, and 

dures are needed to preclude such practices. FIGS. 4 and 5 are diagrams of authentication opera- 
Encryption practices have been used for secure com- 25 ^^^^^ according to the invention, 
munications in areas of national security or for com- 
puter security, for example. To achieve the highest DESCRIPTION OF THE INVENTION 
security, rather elegant methods have been adopted. A yjie ensuing description is directed to a security 
number of recent developmwits are described m the ^^^^^ ^ designed for use in unlocking vehi- 
paper by Diffie. "The First Ten Yeais of I^xbhc-Key 30 ^^^^^ ^^^^^ ^ electronic key 
Cr)jto^aphy", Proc. IEEE, Vol 76, No. 5. May 1988. ^^^^j^ ^ ^ ^^^^ ^j^^. 
pp 560-577, which is mcorporated herein by reference. ^^^^ ^ ^^^^^^ unit can be used with an unlimited 
The RSA public key system described therein is a ^^^^ ^ ^ ^^^^ 
widely accepted security measure w^ch nught 1^ _ 

for vebcle secunty A P£?e^^^^«f. ^^^^^^ Z ' <=ver, that the method is apphcable as well to other uses 

tem, also described by Dmie, is the exponential key ' ■ i * • • -^u* i.- t 

exchange. This is used along with other Cryptographic ^ transmission withm a vehicle computer 

techniques in the system deLribed below. system secunty. vehicle identification for toU payments 

The proposed system has a unique remote miit which ^^i^^^,"^ 

can be positively verified by the base unit on the vehicle 40 ^O, 1 shows a vehicle 10 equipped with a remote 

and cannot be imitated. The system further has the access system mcludmg a base umt 12 m the vehicle 

foUowing objectives: * typically earned m the vehicle opera- 

1. It has a high level of security even if all communi- ^ofs pocket or purse. The units are coupled by radio 
cations can be monitored and all aspects of the communication effective over a short distance. As indi- 
design are known. 45 dotted lines 16 adjacent each vehicle door 

2. The remote unit cannot be copied or imitated even handle 18 and lines 20 adjacent the vehicle trunk, mini- 
with physical access to the unit. mum distances of only a few feet are required although 

3. One remote unit may be used with an unlimited a larger radius of communication is acceptable. It is 
number of base units. intended that when the operator carries the remote unit 

4. Compromise of one base unit shall not compromise 50 within radio range of the base unit the system wiU auto- 
other uses of the same remote unit. matically act to unlock the door without activation by 

5. No operator input is needed beyond sign-up initia- the operator, provided that the identification of the 
t^QQ remote unit can be verified. In some applications the 

6 All functions other than radio transmission can be units are activated only when the operator touches or 

implemented by a single IC for each unit which can 55 tries to operate the door handle 18. 

operate ai very low power and complete the nor- A randomly chosen secret key S, at least 56 bits long, 

mal functions in a fraction of a second. and a unique ID are permanently programmed in the 

remote unit (using an EPROM) at the time of manufac- 
SUMMARY OF THE INVENTION ^ure. By choosing S from a very large number of possi- 
It is therefore an object of the invention to provide a 60 bilities, S is probably unique but it is only necessary that 
method of positively authenticating a remote unit there be no way to determine S. In particular, the manu- 
through cryptographic techniques. facturing equipment that programs the remote units 
The invention is carried out in a secure remote access with their unique ID and secret S must destroy all mem- 
system having a base unit and a remote unit coupled by ory of S after it has verified proper programnxing. To 
a communication link, by a method of encrypted com- 65 keep S secret another bit is programmed to prevent 
munication comprising the steps of: registering the re- reading S and to prevent any further programming, 
mote unit with the base unit by establishing a common The base unit 12 and the remote unit 14 operate in 
key by communication between the base unit and the various modes as indicated in FIG. 2. The units must 
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first be initialized to randomly select a common key and exchange previbusly mentioned and which is set forth 
to register the remote ID with the base unit. This mode in U.S. Pat. No; 4,200 J70 entitled "Cryptographic Ap- 
is authprized by operator input such as by entry of ah paratus and Method" v Exponential key exchange allows 
access code on a keyboard in the vehicle. No other, a remote luiit and base, unit to mutiially agree upon a 
mode requires operator input. The initialization occuh 5 private key over an jmsccured chaiuifel as follows. The 
only once to introduce a remote unit to a base unit, remote unit and bai^ unit each secretly sblect a number, 
however, when a remote unit is used with more than F aid B, respectively. They then cpmput^^ 
one base unit or when a base unit is used with more than and M^imod.N, respectively, where N is a large prime 
one remote unit, an initialization must take place for number and both M aiid N arc known to everyone, 
each pair of units. 10 They exchange answers and then compute 

After being initialized, the remote unit assumes a :P=0^^.mo«i.N)^m9d.NandPsi=(M 
sleep state for low power consumption. When the re- rcsp^vclyi They each arrive at the same value, 
mote unit enters the radio range of the base unit, a P=M^^.mcd.N, from a different cx>mbinati^ 
wake-up mode is entered wherein a signal from the base and public information. A eavesdropper' cannot derive 
unit wakes up or alerts the remote unit to prepare its 13 this value because of the difficulty of deriving F or B 
circuits for interrogation. This starts the ID mode. Then from M^.mod.N or M*.mod.N for large N. P is then 
the base unit sends out ID signals corresponding to the shortened to the proper length and used as the, private 
various remote unit ID*s stored during initialization. If key for this particulu* remote unit and base unit pair, 
an ID signal matches the ID of the partictilar remote :^ To assure difficulty of deriving F or B, it is preferred 
unit in its range, the remote unit responds that a matbh 20 that they have a length of several hundred bits, al- 
has been made. The authentication mode is thien entered though k practical system may have only about 256 bits, 
to verify that the remote unit is indeed an authorized While the base unit 12 may have a random number 
unit. During this mode an exchange of encrypted sig- generator, this is not desirable for the remote unit 14. To 
nals based on the previously established common key provide such a large number F; haying a random nature, 
takes place. 25 a small random or pseudo-random seed nwhber is pro- 
After the wakeup, the general approach is for the videid by the base unit and passed to the remote unit, 
base unit 12 to ftfst identify which, if any, of several This seed is operated upon in conjunctibh with the 
authorized remote units 14 is in its vicinity by a cbnveh- secret key S to generate a number having 256 bits which 
tional polling scheme. The base unit then challenges the is used as the exponent F; 

remote unit for information that only the legitixhate 30 To allow a single remote unit to operate with an 

remote unit can have. The challenge and correct re- unlimited number of bise tmi 

sponse must be different each time to prevent accepting ber of different P's) the remote unit does hot store its 

the playback of a previous correct response. The cor- ; copy of P. It lets the base unit do thie storage. The re- 

rect response must not be related to the challenge in a mote unit first encrypts its copy of P using the built in 

simple way. For a secure system it should not be possi- 35 secret key, S, to give Q=S(P) then passes Q over the 

ble to deduce the correct response with full knowledge radio link to the bas^ unit. The biasc unit stores Q along 

of the system and all previous communications. with its ck>py of P and the rcnlotc unit ID in its^ to^^ 

Cryptographic techniques provide a means to accom- authorized users. This concludes the mitialization or 

plish this. A cryptosystcm performs a complicated sign-up procedure. , : 

transformation from input to output under the control 40 The initialization is diagrammol; in I^G. 3 which 
of a variable called the key; Knowing the correct key it illustrates the operations in each of the ba^ and remote 
is possible to do the inverse transformation and recover' units and the communications therebetween. First the 
^e original input. For an ideal cryptosystiem there base transmits the seed A to the remote umt which 
should be no better way to determine the input from the derives the exponent F from S ahd A; while the base 
output then trying all possible keys. By making this 45 selects an <;xpoheht B, The^^ unit calculates the 
number large enough it becomes imfeasible to break the ; particular remainder for its respective calculated expo- 
system even using a very high speed computer. An nenUal and traminits only the remainder to the other 
example of such a system is the data encryptioti stan- unit: Each unit calculates P by combining the local 
dard (D£S) approved by National Bureau of Standards remainder and the received remainder. The base stores 
and National Security Agency as suitable for computer 50 P while ^e remote unit encrypts P using secret key S 
data security, electronic funds transfer, etc. short of and passes it to the base: for storage. The ID is passed to 
national seciuity. DES uses a 56 bit key for about 72 the base for storage as well. : 

quadrillion possibilities. Other inethods of; selecting a common key may be 

Conventional cryptosystems, such as DES, use the ; used. The prime requisite is that\tlie units agree on a 

same key for both encryption and decryption; Each pair 55 randomly selected key in a secure niiBLnnen Public key 

needing to communicate securely must have an individ- cryptography may be used for this purpose. Public key 

uial key known to both but not anyone else. Security is cryptosystems use ; different keys ' for encryption and 

a matter of keeping this private key secure: Public key decryption where one caimot be disi^ 

cryptosystems use different keys for encryption and other, l^c ateve mentioned RSA piib^^ 

decryption where one cannot be easily derived from the 60 suitable. The'public key system is used tio communicate 

other. The degree of difficulty can be made wcry high a common key for the biise and remote units and the key 

by making the keys su£^iciently long. . is encrypted by the remote unit wd^a^^ 

The stated objectives can be met while staying;withih . unit as diacribed above, 

the constraints of low power consumption and quick After the remote unit is ref^tered With tbe.base unit 

response with a combination of a private key cryptoisys- 65 as an authorized user, the reinote unit can forget every- 

tem and either the RSA public key system disclosed in thihjg except the secriet key, S, anci its ID. When the base 

U.S Pat. No. 4,405,829 entitied "Cryptographic Com- linit wishes to cludlenge the remote unit to prove its 

munication System and Method" or the exponential key identity, it passes to the remote unit the encrypted pri- 
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vate key, Q, and a random number, R. This pair of It is not necessary to include a random number gener- 

numbers comprises the challenge. The remote unit uses ator in the IC. For the base unit a host computer can 

its secret key to decrypt Q to give P. It then uses P to perform this function in software. The remote unit does 

encrypt R to give X=P(R) which it returns to the base not need its own random numbers. During sign-up the 
unit. Meanwhile the base unit usies its copy of P to en- 5 remote unit needs a seed number which is different each 

crypt R to give X— P(R). The base unit compares the time. As described above, a different number is pro- 

X's and if they match the remote unit is accepted as vided by the base unit and the remote unit makes it 

authentic. secret by encrypting it with the secret key S. The num- 

The authentication method (as well as the ID interro- ber is both unpredictable and secret without an explicit 
gation) is diagrammed in FIG. 4 which illustrates the l^ random number generator. 

operations in each of the base and remote units. The Only the correct remote unit, the one with which 

base unit has stored the key P, the ID and the encrypted keys were initially exchanged, can provide the correct 

key Q while the remote unit remembers the ID and S. answer because only it has the correct S to transform Q 

The base unit transmits the ID. and the remote unit to P. lo effect, S is only used by the remote unit to 

compares it with its ID, and if there is a match a reply communicate with itself at a later time. There is never 

is transmitted to the base. When no reply is received the any need or ability for S to be shared, 

next ID stored in the base is transmitted. When a reply The embodiments of the invention in which an cxclu- 

is received, a random number R is generated and sent to sive property or privilege is claimed are defined as 

the remote unit along with the Q which corresponds to follows: 

the ID which was matched in the remote unit. The 1. In a secure remote access system having a base unit 

remote unit decrypts Q to get P and encrypts R to get and a remote unit coupled by a communication link, the 

X and passes it to the base. In the meantime the base also remote unit containing a private key known only to that 

encrypts R to get X and compares the two X*s. particular remote unit, a method of authentication of 

FIG. 5 shows a variant on the above described au- the remote unit comprising the steps of: 

thentication operation. Here, R is encrypted to get X registering the remote unit with the base unit by es- 

and the challenge comprises X and Q which are both tablishing a randomly selected common key 

decrypted in the remote unit to obtain R which is passed through communication between the base unit and 

to the base unit and compared with the original R to the remote unit in a manner that maintains the 

determine whether there is a match. privacy of the common key, and storing the com- 

To provide tolerance to faulty communications two mon key and an encrypted form of the common 

different strategies are used. Some communications, key in the base unit; 

such as the challenge and key exchange, must be perfect then authenticating the remote unit by encrypting a 

because the encryption process has the effect of ran- random number with the common key in the base 

domizing the entire output if any input bit is changed. 33 unit, passing the encrypted common key and a 

When conununications are usually good but sometimes challenge number from the base unit to the remote 

very bad and retransmission is possible, error detection unit wherein the challenge number comprises one 

can be more effective than error correction coding. A of the random number and the encrypted random 

cyclic redundancy check with retransmission on re- number, decrypting the common key in the remote 

quest is preferred for critical messages. 40 unit, operating on the challenge number with the 

For other communications close is good enough. The conunon key in the remote imit and passing the 

correct response to the challenge is akeady known to result to the base unit, and comparing the results, 

the base unit The probability of a random response 2. The invention as defined in claim 1 wherein the 

having 57 or more of the total of 64 bits correct is about step of authenticating the remote unit comprises passing 

1 in 700 million. During polling the remote unit is look- 45 the encrypted common key and a random number from 
ing for its specific ID. By selecting the ID*s properly at the base unit to the remote unit, decrypting the conunon 
the time of manufacture, all ID can be guaranteed to key in the remote unit, encrypting the random number 
differ by some number of bits. For example 67 million with the common key in the remote unit, and compar- 
32 bit ID*s can made to differ by at least four bits. The ing the results. 

remote unit can answer to an ID that comes within 1 or 50 3. The invention as defmed in claim 1 wherein the 

2 or even 3 bits of its own with very high confidence. challenge number is the encrypted random number, and 
This is a passive form of error correction. Similarly, the the step of operating on the challenge number com- 
final comparison step of the authentication procedure prises decrypting the challenge nimiber with the corn- 
does not have to require an exact match of all bits so . mon key to reveal the random number, and passing the 
long as there is a high probability that the remote unit 55 random number to the base unit for comparison with 
determined the correct value in response to the chal- the original random number. 

lenge. 4. The invention as defined in claim 1 wherein the 
Both security and economic needs can be met by common key is established by exponential key ex- 
putting all the functions except the radio transceiver on change. 

a single IC. Secret information caimot be extracted 60 5. The invention as defined in claim 1 wherein the 

from the IC without destroying it and then it is ex- common key is established by a public key crypto- 

tremely difficult. The base unit performs many of the graphic method. 

same functions as the remote unit. The IC can be de- 6. The invention as defined in claim 1 wherein a se- 

signed to do either by providing a mode selection and cret code is stored in the remote unit, and is used as a 
host computer port. The base imit contains a host com- 65 key for encrypting and decrypting the common key. 

puter to interface to the vehicle and to maintain the 7. The invention as defined in claim 1 wherein a se- 

authorization list. The host port can also facilitate pro- cret code is stored in the remote unit, and. including the 

duction testing. steps of passing a random seed to the remote imit and 
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